]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/wps/wps.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
WPS: Fix a potential memory leak on wps_init() error path
[thirdparty/hostap.git] / src / wps / wps.c
1 /*
2 * Wi-Fi Protected Setup
3 * Copyright (c) 2007-2009, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/dh_group5.h"
13 #include "common/ieee802_11_defs.h"
14 #include "wps_i.h"
15 #include "wps_dev_attr.h"
16
17
18 #ifdef CONFIG_WPS_TESTING
19 int wps_version_number = 0x20;
20 int wps_testing_dummy_cred = 0;
21 #endif /* CONFIG_WPS_TESTING */
22
23
24 /**
25 * wps_init - Initialize WPS Registration protocol data
26 * @cfg: WPS configuration
27 * Returns: Pointer to allocated data or %NULL on failure
28 *
29 * This function is used to initialize WPS data for a registration protocol
30 * instance (i.e., each run of registration protocol as a Registrar of
31 * Enrollee. The caller is responsible for freeing this data after the
32 * registration run has been completed by calling wps_deinit().
33 */
34 struct wps_data * wps_init(const struct wps_config *cfg)
35 {
36 struct wps_data *data = os_zalloc(sizeof(*data));
37 if (data == NULL)
38 return NULL;
39 data->wps = cfg->wps;
40 data->registrar = cfg->registrar;
41 if (cfg->registrar) {
42 os_memcpy(data->uuid_r, cfg->wps->uuid, WPS_UUID_LEN);
43 } else {
44 os_memcpy(data->mac_addr_e, cfg->wps->dev.mac_addr, ETH_ALEN);
45 os_memcpy(data->uuid_e, cfg->wps->uuid, WPS_UUID_LEN);
46 }
47 if (cfg->pin) {
48 data->dev_pw_id = data->wps->oob_dev_pw_id == 0 ?
49 cfg->dev_pw_id : data->wps->oob_dev_pw_id;
50 data->dev_password = os_malloc(cfg->pin_len);
51 if (data->dev_password == NULL) {
52 os_free(data);
53 return NULL;
54 }
55 os_memcpy(data->dev_password, cfg->pin, cfg->pin_len);
56 data->dev_password_len = cfg->pin_len;
57 }
58
59 #ifdef CONFIG_WPS_NFC
60 if (cfg->wps->ap && !cfg->registrar && cfg->wps->ap_nfc_dev_pw_id) {
61 data->dev_pw_id = cfg->wps->ap_nfc_dev_pw_id;
62 os_free(data->dev_password);
63 data->dev_password =
64 os_malloc(wpabuf_len(cfg->wps->ap_nfc_dev_pw));
65 if (data->dev_password == NULL) {
66 os_free(data);
67 return NULL;
68 }
69 os_memcpy(data->dev_password,
70 wpabuf_head(cfg->wps->ap_nfc_dev_pw),
71 wpabuf_len(cfg->wps->ap_nfc_dev_pw));
72 data->dev_password_len = wpabuf_len(cfg->wps->ap_nfc_dev_pw);
73 }
74 #endif /* CONFIG_WPS_NFC */
75
76 data->pbc = cfg->pbc;
77 if (cfg->pbc) {
78 /* Use special PIN '00000000' for PBC */
79 data->dev_pw_id = DEV_PW_PUSHBUTTON;
80 os_free(data->dev_password);
81 data->dev_password = (u8 *) os_strdup("00000000");
82 if (data->dev_password == NULL) {
83 os_free(data);
84 return NULL;
85 }
86 data->dev_password_len = 8;
87 }
88
89 data->state = data->registrar ? RECV_M1 : SEND_M1;
90
91 if (cfg->assoc_wps_ie) {
92 struct wps_parse_attr attr;
93 wpa_hexdump_buf(MSG_DEBUG, "WPS: WPS IE from (Re)AssocReq",
94 cfg->assoc_wps_ie);
95 if (wps_parse_msg(cfg->assoc_wps_ie, &attr) < 0) {
96 wpa_printf(MSG_DEBUG, "WPS: Failed to parse WPS IE "
97 "from (Re)AssocReq");
98 } else if (attr.request_type == NULL) {
99 wpa_printf(MSG_DEBUG, "WPS: No Request Type attribute "
100 "in (Re)AssocReq WPS IE");
101 } else {
102 wpa_printf(MSG_DEBUG, "WPS: Request Type (from WPS IE "
103 "in (Re)AssocReq WPS IE): %d",
104 *attr.request_type);
105 data->request_type = *attr.request_type;
106 }
107 }
108
109 if (cfg->new_ap_settings) {
110 data->new_ap_settings =
111 os_malloc(sizeof(*data->new_ap_settings));
112 if (data->new_ap_settings == NULL) {
113 os_free(data->dev_password);
114 os_free(data);
115 return NULL;
116 }
117 os_memcpy(data->new_ap_settings, cfg->new_ap_settings,
118 sizeof(*data->new_ap_settings));
119 }
120
121 if (cfg->peer_addr)
122 os_memcpy(data->peer_dev.mac_addr, cfg->peer_addr, ETH_ALEN);
123 if (cfg->p2p_dev_addr)
124 os_memcpy(data->p2p_dev_addr, cfg->p2p_dev_addr, ETH_ALEN);
125
126 data->use_psk_key = cfg->use_psk_key;
127 data->pbc_in_m1 = cfg->pbc_in_m1;
128
129 return data;
130 }
131
132
133 /**
134 * wps_deinit - Deinitialize WPS Registration protocol data
135 * @data: WPS Registration protocol data from wps_init()
136 */
137 void wps_deinit(struct wps_data *data)
138 {
139 #ifdef CONFIG_WPS_NFC
140 if (data->registrar && data->nfc_pw_token)
141 wps_registrar_remove_nfc_pw_token(data->wps->registrar,
142 data->nfc_pw_token);
143 #endif /* CONFIG_WPS_NFC */
144
145 if (data->wps_pin_revealed) {
146 wpa_printf(MSG_DEBUG, "WPS: Full PIN information revealed and "
147 "negotiation failed");
148 if (data->registrar)
149 wps_registrar_invalidate_pin(data->wps->registrar,
150 data->uuid_e);
151 } else if (data->registrar)
152 wps_registrar_unlock_pin(data->wps->registrar, data->uuid_e);
153
154 wpabuf_free(data->dh_privkey);
155 wpabuf_free(data->dh_pubkey_e);
156 wpabuf_free(data->dh_pubkey_r);
157 wpabuf_free(data->last_msg);
158 os_free(data->dev_password);
159 os_free(data->new_psk);
160 wps_device_data_free(&data->peer_dev);
161 os_free(data->new_ap_settings);
162 dh5_free(data->dh_ctx);
163 os_free(data->nfc_pw_token);
164 os_free(data);
165 }
166
167
168 /**
169 * wps_process_msg - Process a WPS message
170 * @wps: WPS Registration protocol data from wps_init()
171 * @op_code: Message OP Code
172 * @msg: Message data
173 * Returns: Processing result
174 *
175 * This function is used to process WPS messages with OP Codes WSC_ACK,
176 * WSC_NACK, WSC_MSG, and WSC_Done. The caller (e.g., EAP server/peer) is
177 * responsible for reassembling the messages before calling this function.
178 * Response to this message is built by calling wps_get_msg().
179 */
180 enum wps_process_res wps_process_msg(struct wps_data *wps,
181 enum wsc_op_code op_code,
182 const struct wpabuf *msg)
183 {
184 if (wps->registrar)
185 return wps_registrar_process_msg(wps, op_code, msg);
186 else
187 return wps_enrollee_process_msg(wps, op_code, msg);
188 }
189
190
191 /**
192 * wps_get_msg - Build a WPS message
193 * @wps: WPS Registration protocol data from wps_init()
194 * @op_code: Buffer for returning message OP Code
195 * Returns: The generated WPS message or %NULL on failure
196 *
197 * This function is used to build a response to a message processed by calling
198 * wps_process_msg(). The caller is responsible for freeing the buffer.
199 */
200 struct wpabuf * wps_get_msg(struct wps_data *wps, enum wsc_op_code *op_code)
201 {
202 if (wps->registrar)
203 return wps_registrar_get_msg(wps, op_code);
204 else
205 return wps_enrollee_get_msg(wps, op_code);
206 }
207
208
209 /**
210 * wps_is_selected_pbc_registrar - Check whether WPS IE indicates active PBC
211 * @msg: WPS IE contents from Beacon or Probe Response frame
212 * Returns: 1 if PBC Registrar is active, 0 if not
213 */
214 int wps_is_selected_pbc_registrar(const struct wpabuf *msg)
215 {
216 struct wps_parse_attr attr;
217
218 /*
219 * In theory, this could also verify that attr.sel_reg_config_methods
220 * includes WPS_CONFIG_PUSHBUTTON, but some deployed AP implementations
221 * do not set Selected Registrar Config Methods attribute properly, so
222 * it is safer to just use Device Password ID here.
223 */
224
225 if (wps_parse_msg(msg, &attr) < 0 ||
226 !attr.selected_registrar || *attr.selected_registrar == 0 ||
227 !attr.dev_password_id ||
228 WPA_GET_BE16(attr.dev_password_id) != DEV_PW_PUSHBUTTON)
229 return 0;
230
231 #ifdef CONFIG_WPS_STRICT
232 if (!attr.sel_reg_config_methods ||
233 !(WPA_GET_BE16(attr.sel_reg_config_methods) &
234 WPS_CONFIG_PUSHBUTTON))
235 return 0;
236 #endif /* CONFIG_WPS_STRICT */
237
238 return 1;
239 }
240
241
242 static int is_selected_pin_registrar(struct wps_parse_attr *attr)
243 {
244 /*
245 * In theory, this could also verify that attr.sel_reg_config_methods
246 * includes WPS_CONFIG_LABEL, WPS_CONFIG_DISPLAY, or WPS_CONFIG_KEYPAD,
247 * but some deployed AP implementations do not set Selected Registrar
248 * Config Methods attribute properly, so it is safer to just use
249 * Device Password ID here.
250 */
251
252 if (!attr->selected_registrar || *attr->selected_registrar == 0)
253 return 0;
254
255 if (attr->dev_password_id != NULL &&
256 WPA_GET_BE16(attr->dev_password_id) == DEV_PW_PUSHBUTTON)
257 return 0;
258
259 #ifdef CONFIG_WPS_STRICT
260 if (!attr->sel_reg_config_methods ||
261 !(WPA_GET_BE16(attr->sel_reg_config_methods) &
262 (WPS_CONFIG_LABEL | WPS_CONFIG_DISPLAY | WPS_CONFIG_KEYPAD)))
263 return 0;
264 #endif /* CONFIG_WPS_STRICT */
265
266 return 1;
267 }
268
269
270 /**
271 * wps_is_selected_pin_registrar - Check whether WPS IE indicates active PIN
272 * @msg: WPS IE contents from Beacon or Probe Response frame
273 * Returns: 1 if PIN Registrar is active, 0 if not
274 */
275 int wps_is_selected_pin_registrar(const struct wpabuf *msg)
276 {
277 struct wps_parse_attr attr;
278
279 if (wps_parse_msg(msg, &attr) < 0)
280 return 0;
281
282 return is_selected_pin_registrar(&attr);
283 }
284
285
286 /**
287 * wps_is_addr_authorized - Check whether WPS IE authorizes MAC address
288 * @msg: WPS IE contents from Beacon or Probe Response frame
289 * @addr: MAC address to search for
290 * @ver1_compat: Whether to use version 1 compatibility mode
291 * Returns: 2 if the specified address is explicit authorized, 1 if address is
292 * authorized (broadcast), 0 if not
293 */
294 int wps_is_addr_authorized(const struct wpabuf *msg, const u8 *addr,
295 int ver1_compat)
296 {
297 struct wps_parse_attr attr;
298 unsigned int i;
299 const u8 *pos;
300 const u8 bcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
301
302 if (wps_parse_msg(msg, &attr) < 0)
303 return 0;
304
305 if (!attr.version2 && ver1_compat) {
306 /*
307 * Version 1.0 AP - AuthorizedMACs not used, so revert back to
308 * old mechanism of using SelectedRegistrar.
309 */
310 return is_selected_pin_registrar(&attr);
311 }
312
313 if (!attr.authorized_macs)
314 return 0;
315
316 pos = attr.authorized_macs;
317 for (i = 0; i < attr.authorized_macs_len / ETH_ALEN; i++) {
318 if (os_memcmp(pos, addr, ETH_ALEN) == 0)
319 return 2;
320 if (os_memcmp(pos, bcast, ETH_ALEN) == 0)
321 return 1;
322 pos += ETH_ALEN;
323 }
324
325 return 0;
326 }
327
328
329 /**
330 * wps_ap_priority_compar - Prioritize WPS IE from two APs
331 * @wps_a: WPS IE contents from Beacon or Probe Response frame
332 * @wps_b: WPS IE contents from Beacon or Probe Response frame
333 * Returns: 1 if wps_b is considered more likely selection for WPS
334 * provisioning, -1 if wps_a is considered more like, or 0 if no preference
335 */
336 int wps_ap_priority_compar(const struct wpabuf *wps_a,
337 const struct wpabuf *wps_b)
338 {
339 struct wps_parse_attr attr_a, attr_b;
340 int sel_a, sel_b;
341
342 if (wps_a == NULL || wps_parse_msg(wps_a, &attr_a) < 0)
343 return 1;
344 if (wps_b == NULL || wps_parse_msg(wps_b, &attr_b) < 0)
345 return -1;
346
347 sel_a = attr_a.selected_registrar && *attr_a.selected_registrar != 0;
348 sel_b = attr_b.selected_registrar && *attr_b.selected_registrar != 0;
349
350 if (sel_a && !sel_b)
351 return -1;
352 if (!sel_a && sel_b)
353 return 1;
354
355 return 0;
356 }
357
358
359 /**
360 * wps_get_uuid_e - Get UUID-E from WPS IE
361 * @msg: WPS IE contents from Beacon or Probe Response frame
362 * Returns: Pointer to UUID-E or %NULL if not included
363 *
364 * The returned pointer is to the msg contents and it remains valid only as
365 * long as the msg buffer is valid.
366 */
367 const u8 * wps_get_uuid_e(const struct wpabuf *msg)
368 {
369 struct wps_parse_attr attr;
370
371 if (wps_parse_msg(msg, &attr) < 0)
372 return NULL;
373 return attr.uuid_e;
374 }
375
376
377 /**
378 * wps_is_20 - Check whether WPS attributes claim support for WPS 2.0
379 */
380 int wps_is_20(const struct wpabuf *msg)
381 {
382 struct wps_parse_attr attr;
383
384 if (msg == NULL || wps_parse_msg(msg, &attr) < 0)
385 return 0;
386 return attr.version2 != NULL;
387 }
388
389
390 /**
391 * wps_build_assoc_req_ie - Build WPS IE for (Re)Association Request
392 * @req_type: Value for Request Type attribute
393 * Returns: WPS IE or %NULL on failure
394 *
395 * The caller is responsible for freeing the buffer.
396 */
397 struct wpabuf * wps_build_assoc_req_ie(enum wps_request_type req_type)
398 {
399 struct wpabuf *ie;
400 u8 *len;
401
402 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
403 "Request");
404 ie = wpabuf_alloc(100);
405 if (ie == NULL)
406 return NULL;
407
408 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
409 len = wpabuf_put(ie, 1);
410 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
411
412 if (wps_build_version(ie) ||
413 wps_build_req_type(ie, req_type) ||
414 wps_build_wfa_ext(ie, 0, NULL, 0)) {
415 wpabuf_free(ie);
416 return NULL;
417 }
418
419 *len = wpabuf_len(ie) - 2;
420
421 return ie;
422 }
423
424
425 /**
426 * wps_build_assoc_resp_ie - Build WPS IE for (Re)Association Response
427 * Returns: WPS IE or %NULL on failure
428 *
429 * The caller is responsible for freeing the buffer.
430 */
431 struct wpabuf * wps_build_assoc_resp_ie(void)
432 {
433 struct wpabuf *ie;
434 u8 *len;
435
436 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for (Re)Association "
437 "Response");
438 ie = wpabuf_alloc(100);
439 if (ie == NULL)
440 return NULL;
441
442 wpabuf_put_u8(ie, WLAN_EID_VENDOR_SPECIFIC);
443 len = wpabuf_put(ie, 1);
444 wpabuf_put_be32(ie, WPS_DEV_OUI_WFA);
445
446 if (wps_build_version(ie) ||
447 wps_build_resp_type(ie, WPS_RESP_AP) ||
448 wps_build_wfa_ext(ie, 0, NULL, 0)) {
449 wpabuf_free(ie);
450 return NULL;
451 }
452
453 *len = wpabuf_len(ie) - 2;
454
455 return ie;
456 }
457
458
459 /**
460 * wps_build_probe_req_ie - Build WPS IE for Probe Request
461 * @pw_id: Password ID (DEV_PW_PUSHBUTTON for active PBC and DEV_PW_DEFAULT for
462 * most other use cases)
463 * @dev: Device attributes
464 * @uuid: Own UUID
465 * @req_type: Value for Request Type attribute
466 * @num_req_dev_types: Number of requested device types
467 * @req_dev_types: Requested device types (8 * num_req_dev_types octets) or
468 * %NULL if none
469 * Returns: WPS IE or %NULL on failure
470 *
471 * The caller is responsible for freeing the buffer.
472 */
473 struct wpabuf * wps_build_probe_req_ie(u16 pw_id, struct wps_device_data *dev,
474 const u8 *uuid,
475 enum wps_request_type req_type,
476 unsigned int num_req_dev_types,
477 const u8 *req_dev_types)
478 {
479 struct wpabuf *ie;
480
481 wpa_printf(MSG_DEBUG, "WPS: Building WPS IE for Probe Request");
482
483 ie = wpabuf_alloc(500);
484 if (ie == NULL)
485 return NULL;
486
487 if (wps_build_version(ie) ||
488 wps_build_req_type(ie, req_type) ||
489 wps_build_config_methods(ie, dev->config_methods) ||
490 wps_build_uuid_e(ie, uuid) ||
491 wps_build_primary_dev_type(dev, ie) ||
492 wps_build_rf_bands(dev, ie) ||
493 wps_build_assoc_state(NULL, ie) ||
494 wps_build_config_error(ie, WPS_CFG_NO_ERROR) ||
495 wps_build_dev_password_id(ie, pw_id) ||
496 #ifdef CONFIG_WPS2
497 wps_build_manufacturer(dev, ie) ||
498 wps_build_model_name(dev, ie) ||
499 wps_build_model_number(dev, ie) ||
500 wps_build_dev_name(dev, ie) ||
501 wps_build_wfa_ext(ie, req_type == WPS_REQ_ENROLLEE, NULL, 0) ||
502 #endif /* CONFIG_WPS2 */
503 wps_build_req_dev_type(dev, ie, num_req_dev_types, req_dev_types)
504 ||
505 wps_build_secondary_dev_type(dev, ie)
506 ) {
507 wpabuf_free(ie);
508 return NULL;
509 }
510
511 #ifndef CONFIG_WPS2
512 if (dev->p2p && wps_build_dev_name(dev, ie)) {
513 wpabuf_free(ie);
514 return NULL;
515 }
516 #endif /* CONFIG_WPS2 */
517
518 return wps_ie_encapsulate(ie);
519 }
520
521
522 void wps_free_pending_msgs(struct upnp_pending_message *msgs)
523 {
524 struct upnp_pending_message *p, *prev;
525 p = msgs;
526 while (p) {
527 prev = p;
528 p = p->next;
529 wpabuf_free(prev->msg);
530 os_free(prev);
531 }
532 }
533
534
535 int wps_attr_text(struct wpabuf *data, char *buf, char *end)
536 {
537 struct wps_parse_attr attr;
538 char *pos = buf;
539 int ret;
540
541 if (wps_parse_msg(data, &attr) < 0)
542 return -1;
543
544 if (attr.wps_state) {
545 if (*attr.wps_state == WPS_STATE_NOT_CONFIGURED)
546 ret = os_snprintf(pos, end - pos,
547 "wps_state=unconfigured\n");
548 else if (*attr.wps_state == WPS_STATE_CONFIGURED)
549 ret = os_snprintf(pos, end - pos,
550 "wps_state=configured\n");
551 else
552 ret = 0;
553 if (ret < 0 || ret >= end - pos)
554 return pos - buf;
555 pos += ret;
556 }
557
558 if (attr.ap_setup_locked && *attr.ap_setup_locked) {
559 ret = os_snprintf(pos, end - pos,
560 "wps_ap_setup_locked=1\n");
561 if (ret < 0 || ret >= end - pos)
562 return pos - buf;
563 pos += ret;
564 }
565
566 if (attr.selected_registrar && *attr.selected_registrar) {
567 ret = os_snprintf(pos, end - pos,
568 "wps_selected_registrar=1\n");
569 if (ret < 0 || ret >= end - pos)
570 return pos - buf;
571 pos += ret;
572 }
573
574 if (attr.dev_password_id) {
575 ret = os_snprintf(pos, end - pos,
576 "wps_device_password_id=%u\n",
577 WPA_GET_BE16(attr.dev_password_id));
578 if (ret < 0 || ret >= end - pos)
579 return pos - buf;
580 pos += ret;
581 }
582
583 if (attr.sel_reg_config_methods) {
584 ret = os_snprintf(pos, end - pos,
585 "wps_selected_registrar_config_methods="
586 "0x%04x\n",
587 WPA_GET_BE16(attr.sel_reg_config_methods));
588 if (ret < 0 || ret >= end - pos)
589 return pos - buf;
590 pos += ret;
591 }
592
593 if (attr.primary_dev_type) {
594 char devtype[WPS_DEV_TYPE_BUFSIZE];
595 ret = os_snprintf(pos, end - pos,
596 "wps_primary_device_type=%s\n",
597 wps_dev_type_bin2str(attr.primary_dev_type,
598 devtype,
599 sizeof(devtype)));
600 if (ret < 0 || ret >= end - pos)
601 return pos - buf;
602 pos += ret;
603 }
604
605 if (attr.dev_name) {
606 char *str = os_malloc(attr.dev_name_len + 1);
607 size_t i;
608 if (str == NULL)
609 return pos - buf;
610 for (i = 0; i < attr.dev_name_len; i++) {
611 if (attr.dev_name[i] < 32)
612 str[i] = '_';
613 else
614 str[i] = attr.dev_name[i];
615 }
616 str[i] = '\0';
617 ret = os_snprintf(pos, end - pos, "wps_device_name=%s\n", str);
618 os_free(str);
619 if (ret < 0 || ret >= end - pos)
620 return pos - buf;
621 pos += ret;
622 }
623
624 if (attr.config_methods) {
625 ret = os_snprintf(pos, end - pos,
626 "wps_config_methods=0x%04x\n",
627 WPA_GET_BE16(attr.config_methods));
628 if (ret < 0 || ret >= end - pos)
629 return pos - buf;
630 pos += ret;
631 }
632
633 return pos - buf;
634 }
Unnamed repository; edit this file 'description' to name the repository.